Lucas De Marchi

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.13.0-rc4-xe+ **Description** The issue is related to the Linux kernel's drm/xe component. When the GuC (Graphics Unit Controller) fails to load, the driver becomes unresponsive, but it attempts to perform actions that may not be initialized yet. This can lead to a NULL pointer dereference. The problem can be triggered by forcing a signature failure in the GuC binary. The error messages indicate a failure in the firmware signature verification and a critical error declaring the device as wedged. **Recommendations** To resolve the issue, update the Linux kernel to a version that includes the fix for the drm/xe component, specifically the change that moves the xe gt tlb invalidation init() function to be called earlier by xe gt init early(). As a temporary workaround, consider disabling the `xe gt tlb invalidation reset()` function until a patch is available. Restrict access to the vulnerable `drm/xe` module to minimize the risk of exploitation. Avoid using the `GuC` binary in a way that could force a signature failure until the issue is resolved.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability has been resolved in the Linux kernel. The issue occurs when userspace holds an fd open, unbinds the device, and then closes it, causing the driver to attempt to access the hardware. This is fixed by using `drm dev enter()`/`drm dev exit()` to protect against the fault. The vulnerability results in a page fault, specifically a supervisor read access in kernel mode with an error code of 0x0000, indicating a not-present page. The functions involved include `xe lrc update timestamp()`, `xe exec queue update run ticks()`, `xe exec queue fini()`, ` guc exec queue fini async()`, `guc exec queue fini async()`, `guc exec queue fini()`, `xe exec queue destroy()`, `xe file close()`, `drm file free()`, `drm close helper.isra.0()`, and `drm release noglobal()`. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability in the Linux kernel has been resolved. The issue is related to the drm/xe/reg sr register pool implementation, which does not work correctly. If the krealloc function moves the memory and returns a different address, the entries in the xarray become invalid, leading to a use-after-free error later. This error can occur in the xe reg sr apply mmio function. The vulnerability was identified by the KASAN (Kernel Address Sanitizer) tool. **Recommendations** To resolve the issue, simplify the code to fix the bug. A better pooling strategy may be added back later if needed. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue concerns a "Missing outer runtime PM protection" warning in the Linux kernel, specifically in the drm/xe/oa component. This warning is associated with a drm WARN message that includes function calls such as `xe pm runtime get noresume`, `guc exec queue add msg`, `guc exec queue fini`, `xe exec queue destroy`, and `xe oa release`. The problem has been resolved, but details about the number of potentially affected devices or real-world incidents are not provided. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to a use-after-free (UAF) vulnerability in the `send recv()` function, specifically in the `drm/xe/ct` module of the Linux kernel. This vulnerability can be exploited to impact the confidentiality, integrity, and availability of protected information. The vulnerability arises due to the lack of proper synchronization with the completion side, which can lead to a fence going out of scope on the stack before the timeout. Additionally, there are dependent loads and stores that require correct ordering, but the necessary barriers are lacking. The fix involves grabbing the `ct->lock` after the wait to ensure proper serialization. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** A vulnerability has been resolved in the Linux kernel, specifically in the drm/xe component, where an opregion leak was fixed. The issue was related to the setup and cleanup of the display, which ideally should be done by the display itself. However, this requires a bigger refactor to be done on both i915 and xe. For now, the leak has been fixed. The vulnerability was related to an unreferenced object, and a backtrace is provided, showing the functions involved, including `kmemleak alloc`, `kmalloc trace noprof`, `intel opregion setup`, and others. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.